J. Rosenberger
Attorney Docket No.: WIMET-1-21663
Group Art Unit: 2171 
Examiner: S. Metjahic 



Title: SYSTEM AND METHOD FOR WIRELESS LOCAL AREA NETWORK OPERATIONAL MONITORING AND INTRUSION DETECTION

PETITION TO MAKE SPECIAL UNDER 37 C.F.R. § 1.102 

Seattle, Washington 98101 

May 24, 2005 

TO THE COMMISSIONER FOR PATENTS: 

Applicant requests that the above-identified application be made special and examination 
accelerated according to 37 C.F.R. § 1.102(d). As discussed below, applicant submits that the 
present application with this petition meets the requirements set forth in the 
M.P.E.P. § 708.02(VIII).

In regard to M.P.E.P. § 708.02(VIII)(A), the fee set forth in 37 C.F.R. § 1.17(h) is 
submitted herewith. 

In compliance with M.P.E.P. § 708.02(VIII)(B), applicant submits that the claims of the 
present application are directed to a single invention. 

Consistent with M.P.E.P. § 708.02(VIII)(C), applicant submits that a pre-examination 
search has been made by the World Intellectual Property Organization (WIPO) for a PCT 
application that corresponds to the present application. Copies of the International Search Report 
and Preliminary Examination Report are attached. Applicant further submits that the claims of 
the PCT application (the subject matter of the pre-examination search) are of the same or similar 
scope to the claims of the present application. 

In regard to M.P.E.P. § 708.02(VIII)(D), a copy of each reference cited in the
International Search Report is enclosed. 

In compliance with M.P.E.P. § 708.02(VIII)(E), a detailed discussion of the references 
and how the claimed subject is patentable over the references is set forth below. 

U.S. Patent Application Publication No. 2003/0217283 A1 to Hrastar et al. ("Hrastar")

Hrastar provides a system for detecting and responding to security violations. The 
Hrastar system operates on all wireless network traffic. As a wireless network frame (wireless 
network traffic) is received, an intrusion detection system (IDS) executes a series of tests on the 
packets of information in the network frame. The tests include a signature-based test, a 
protocol-based test, an anomaly-based test, and a policy deviation-based test. 

The signature-based test analyzes information in the wireless network traffic to detect the 
"signature" of known security threats. In this case, "signature" should be viewed as a term of art, 
referring to patterns and sequences in the data that are known security threats. As a point of 
reference, computer viruses are also commonly recognized by their "signature," i.e., the presence 
of particular sequences or patterns in data to identify it as a potential security threat/virus. 

The protocol-based test determines whether or not the protocol used in the network traffic 
is legitimate. As stated in Hrastar, emitting a large number of association or disassociation 
requests in a short interval is not a legitimate use of the protocol. 

The anomaly-based test analyzes whether the particular network activity falls outside of 
the "norm." Large transfers of data from one location to another might fall outside of the norm, 
and trigger an appropriate response. 

The policy-based test determines whether the activity violates predetermined policies. 
Access by a particular client to a restricted subnet may constitute a policy-based violation. 
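
The four test categories attributed to Hrastar above, sketched as an added example (not code from Hrastar, the application, or this petition). The frame record, thresholds, byte pattern, subnet and MAC addresses are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
@dataclass
class Frame:                      # simplified record of one captured wireless frame
    ts: float                     # capture time, seconds
    src: str                      # transmitter MAC
    kind: str                     # "assoc", "disassoc" or "data"
    dst_ip: str = ""              # destination IP for data frames
    payload: bytes = b""

# Every value below is an assumption chosen for this example.
SIGNATURES = {b"\xde\xad\xbe\xef": "constructed-pattern-1"}
MGMT_LIMIT, MGMT_WINDOW = 5, 1.0          # max assoc/disassoc requests per second
BYTES_NORM = 10_000                       # per-device volume treated as "the norm"
RESTRICTED = ipaddress.ip_network("10.0.50.0/24")
ALLOWED = {"00:11:22:33:44:55"}           # clients permitted on the restricted subnet

class FrameTests:
    def __init__(self):
        self.mgmt = defaultdict(deque)    # src -> timestamps of recent requests
        self.volume = defaultdict(int)    # src -> payload bytes seen so far
    def check(self, f: Frame) -> list[str]:
        findings = []
        # Signature-based: a known byte pattern is present in the payload.
        findings += [f"signature:{n}" for p, n in SIGNATURES.items() if p in f.payload]
        # Protocol-based: many association/disassociation requests in a short interval.
        if f.kind in ("assoc", "disassoc"):
            q = self.mgmt[f.src]
            q.append(f.ts)
            while q and f.ts - q[0] > MGMT_WINDOW:
                q.popleft()
            if len(q) > MGMT_LIMIT:
                findings.append("protocol:mgmt-flood")
        # Anomaly-based: cumulative transfer falls outside the norm.
        self.volume[f.src] += len(f.payload)
        if self.volume[f.src] > BYTES_NORM:
            findings.append("anomaly:volume")
        # Policy-based: a client that is not permitted reaches the restricted subnet.
        if f.dst_ip and f.src not in ALLOWED and ipaddress.ip_address(f.dst_ip) in RESTRICTED:
            findings.append("policy:restricted-subnet")
        return findings

def run(frames):
    ids = FrameTests()
    return [(f.src, hit) for f in frames for hit in ids.check(f)]

# Constructed sample traffic, one case per test plus one permitted client.
SAMPLE = [
    *(Frame(0.1 * i, "aa:aa:aa:aa:aa:01", "disassoc") for i in range(7)),
    Frame(2.0, "aa:aa:aa:aa:aa:02", "data", "10.0.50.9", b"hello"),
    Frame(2.1, "00:11:22:33:44:55", "data", "10.0.50.9", b"ok"),
    Frame(2.2, "aa:aa:aa:aa:aa:03", "data", "192.168.1.5", b"x\xde\xad\xbe\xefy"),
    Frame(2.3, "aa:aa:aa:aa:aa:04", "data", "192.168.1.5", b"A" * 12_000),
]
```

Calling `run(SAMPLE)` returns one `(source, finding)` pair per triggered test; the permitted client on the restricted subnet produces none.
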

If, based on the results of the tests, unauthorized wireless network traffic is detected, the
IDS may take appropriate action. The actions include notification of administrators, as well as
communication measures (called active measures) designed to thwart the wireless
connection/activity. These active measures include introducing CRC errors into the wireless
stream, "trapping/mapping" the intruder to determine its location, introducing "chaff" into the
wireless stream to reduce the probability that an intruder can break the system encryption,
jamming by broadcasting noise in the spectrum such that no workstation can connect to an
access point, dynamic channel changing, and the like.

U.S. Patent Application Publication No. 2003/0217289 A1 to Ammon et al. ("Ammon")

In addition to a "regular" network that includes wireless access points, Ammon discloses
a wireless intrusion detection system (WID system). The Ammon system includes one or more
WID nodes and at least one WID collector.

Purportedly, the WID nodes monitor the wireless network for both authorized and
unauthorized access. The WID nodes periodically report events (information regarding
unauthorized access) to the WID collector. This is reported in an out-of-band communication to
the WID collector. The WID collector amasses the event information regarding unauthorized
events, and makes the information available to system administrators.

While Ammon generally references monitoring for unauthorized wireless access, little is
discussed. Rather, Ammon appears more focused on the interaction between the WID nodes and
the WID collector, and on reporting unauthorized access to a system administrator in various
formats.

The Claims Distinguished from Hrastar and Ammon 

While both Hrastar and Ammon are generally directed to unauthorized wireless activity,
neither of the references includes the following limitations as found in independent Claim 1:

LAW OFFICES OF
CHRISTENSEN O'CONNOR JOHNSON KINDNESS
1420 Fifth Avenue
Suite 2800
Seattle, Washington 98101
206.682.8100



passively monitors for network traffic received from an unknown wireless device; 

creates a device profile of the unknown wireless device; 

determines whether the unknown wireless device is an authorized device; and 

if the unknown wireless device is determined to be an authorized device, permits 
the network traffic from the unknown wireless device to pass to the computer 
network. 

Unlike the present invention, Hrastar subjects all wireless network activity to testing to
determine whether it is authorized or unauthorized. In contrast, the present invention monitors
for wireless activity from an unknown wireless device. In other words, wireless network traffic
originating from a known/authorized device will pass through without any obstruction or challenge.

Neither Hrastar nor Ammon teaches or suggests creating a device profile of the unknown
device. As mentioned above, Hrastar challenges all wireless network activity, subjecting all
traffic to a series of tests designed to detect unauthorized access. However, this is not a profile
of the "unknown device" for at least two reasons: (1) Hrastar challenges all network traffic, not
just unknown devices, and (2) Hrastar subjects information to tests, which is substantially
distinct from the positive action of creating "a device profile of the unknown device."

Because Hrastar and Ammon fail to teach or suggest creating a device profile, it
follows that the two cited references also fail to teach or suggest determining whether the
unknown wireless device is an authorized device according to the device profile.

It also follows that the cited references fail to teach or suggest permitting "the network traffic
from the unknown wireless device to pass to the computer network" "if the unknown wireless
device is determined to be an authorized device."

Conclusion



The granting of this petition and an early Office Action on the merits of the application 
are respectfully requested. 



I hereby certify that this correspondence is being deposited with the U.S. Postal Service in a sealed 
envelope as first class mail with postage thereon fully prepaid and addressed to Mail Stop Amendment, 
Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450, on the below date.



TSP:lal 

Attachments: 

International Search Report 
Cited references 

Preliminary Examination Report 



Respectfully submitted, 




Tracy S. Powell 
Registration No. 53,479 
Direct Dial No. 206.695.1786 

Applicant

The applicant is hereby notified that the international search report has been established and is transmitted herewith.
Filing of amendments and statement under Article 19: 

The applicant is entitled, if he so wishes, to amend the claims of the international application (see Rule 46): 

When? The time limit for filing such amendments is normally two months from the date of transmittal of the 
international search report. 

Where? Directly to the International Bureau of WIPO, 34, chemin des Colombettes 
1211 Geneva 20, Switzerland, Facsimile No.: (41-22) 740.14.35 

For more detailed instructions, see the notes on the accompanying sheet. 

The applicant is hereby notified that no international search report will be established and that the declaration under 
Article 17(2)(a) to that effect is transmitted herewith. 

With regard to the protest against payment of (an) additional fee(s) under Rule 40.2, the applicant is notified that: 

[ ] the protest together with the decision thereon has been transmitted to the International Bureau together with the
applicant's request to forward the texts of both the protest and the decision thereon to the designated Offices.
[ ] no decision has been made yet on the protest; the applicant will be notified as soon as a decision is made.

4. Reminders 

Shortly after 18 months from the priority date, the international application will be published by the International Bureau. If the 
applicant wishes to avoid or postpone publication, a notice of withdrawal of the international application, or of the priority claim, 
must reach the International Bureau as provided in Rules 90bis.1 and 90bis.3, respectively, before the completion of the technical
preparations for international publication. 

Within 19 months from the priority date, but only in respect of some designated Offices, a demand for international preliminary 
examination must be filed if the applicant wishes to postpone the entry into the national phase until 30 months from the priority 
date (in some Offices even later); otherwise the applicant must, within 20 months from the priority date, perform the prescribed 
acts for entry into the national phase before those designated Offices. 

In respect of other designated Offices, the time limit of 30 months (or later) will apply even if no demand is filed within 19 months. 

See the Annex to Form PCT/IB/301 and, for details about the applicable time limits, Office by Office, see the PCT Applicant's
Guide, Volume II, National Chapters and the WIPO Internet site. 

of the Report

With regard to the language, the international search was carried out on the basis of the international application in the 
language in which it was filed, unless otherwise indicated under this item. 

the international search was carried out on the basis of a translation of the international application furnished to this 
Authority (Rule 23.1(b)). 

With regard to any nucleotide and/or amino acid sequence disclosed in the international application, the international 
search was carried out on the basis of the sequence listing: 

contained in the international application in written form. 

filed together with the international application in computer readable form. 

furnished subsequently to this Authority in written form. 

furnished subsequently to this Authority in computer readable form. 

the statement that the subsequently furnished written sequence listing does not go beyond the disclosure in the 
international application as filed has been furnished. 

the statement that the information recorded in computer readable form is identical to the written sequence listing has 
been furnished. 

Certain claims were found unsearchable (See Box I). 

Unity of invention is lacking (See Box II). 

4. With regard to the title,

the text is approved as submitted by the applicant. 

the text has been established by this Authority to read as follows: 



5. With regard to the abstract, 

[ ] the text is approved as submitted by the applicant.

[X] the text has been established, according to Rule 38.2(b), by this Authority as it appears in Box III. The applicant may,
within one month from the date of mailing of this international search report, submit comments to this Authority.

6. The figure of the drawings to be published with the abstract is Figure No. 2

[X] as suggested by the applicant.
[ ] None of the figures.
[ ] because the applicant failed to suggest a figure.
[ ] because this figure better characterizes the invention.

Box III TEXT OF THE ABSTRACT (Continuation of Item 5 of the first sheet)

The technical features mentioned in the abstract do not include a reference sign between parentheses (PCT Rule 8.1(d)).
NEW ABSTRACT 

The present invention provides a system and method for providing real-time wireless network (200) monitoring and intrusion 
detection (202). The present invention profiles wireless devices (134) and maintains a database of known/authorized wireless device 
profiles (134). Wireless devices (134) are analyzed to determine the threat level they pose to the network (110), and if the threat 
level exceeds a predetermined threshold, the invention refuses to bridge the network traffic from the wireless devices (134) to the 
wired network (110). The present invention provides reporting of the wireless activity, the known and unknown wireless devices 
(134), and the threat levels posed by the wireless devices (134). If an unknown wireless device is determined to be, or may be, a 
wireless access point, an alert is generated, such as notifying a system administrator to take appropriate action. 

INTERNATIONAL PRELIMINARY EXAMINATION REPORT



International application No. 
PCT/US03/30839 



I. Basis of the report 



1. With regard to the elements of the international application:*

[X] the international application as originally filed.

[X] the description:
pages 1-19 as originally filed
pages NONE, filed with the demand
pages NONE, filed with the letter of

[X] the claims:
pages 20-28 as originally filed
pages NONE, as amended (together with any statement) under Article 19
pages NONE, filed with the demand
pages NONE, filed with the letter of

[X] the drawings:
pages l-U as originally filed
pages NONE, filed with the demand
pages NONE, filed with the letter of

[ ] the sequence listing part of the description:
pages NONE, as originally filed
pages NONE, filed with the demand
pages NONE, filed with the letter of

2. With regard to the language, all the elements marked above were available or furnished to this Authority in the 
language in which the international application was filed, unless otherwise indicated under this item. 
These elements were available or furnished to this Authority in the following language which is: 

[ ] the language of a translation furnished for the purposes of international search (under Rule 23.1(b)).

[ ] the language of publication of the international application (under Rule 48.3(b)).

[ ] the language of the translation furnished for the purposes of international preliminary examination (under Rules
55.2 and/or 55.3).

3. With regard to any nucleotide and/or amino acid sequence disclosed in the international application, the
international preliminary examination was carried out on the basis of the sequence listing:

[ ] contained in the international application in printed form.
filed together with the international application in computer readable form.
[ ] furnished subsequently to this Authority in written form.
[ ] furnished subsequently to this Authority in computer readable form.

[ ] The statement that the subsequently furnished written sequence listing does not go beyond the disclosure in the
international application as filed has been furnished.
[ ] The statement that the information recorded in computer readable form is identical to the written sequence listing
has been furnished.

4. The amendments have resulted in the cancellation of

[ ] the description, pages NONE

[ ] the claims, Nos. NONE

[ ] the drawings, sheets/fig NONE

5. This report has been established as if (some of) the amendments had not been made, since they have been considered to go 
beyond the disclosure as filed, as indicated in the Supplemental Box (Rule 70.2(c)).** 

* Replacement sheets which have been furnished to the receiving Office in response to an invitation under Article 14 are referred to in
this report as "originally filed" and are not annexed to this report since they do not contain amendments (Rules 70.16 and 70.17).
** Any replacement sheet containing such amendments must be referred to under item 1 and annexed to this report. 

V. Reasoned statement under Rule 66.2(a)(ii) with regard to novelty, inventive step or industrial applicability;
citations and explanations supporting such statement 

1. STATEMENT 



Novelty (N)                     Claims 1-66   YES
                                Claims NONE   NO

Inventive Step (IS)             Claims 1-66   YES
                                Claims NONE   NO

Industrial Applicability (IA)   Claims 1-66   YES
                                Claims NONE   NO



2. CITATIONS AND EXPLANATIONS 

Claims 1-66 meet the criteria set out in PCT Article 33(2)-(3), because the prior art does not teach or fairly suggest passively 
monitoring for network traffic received from an unknown wireless device, creating a device profile for the unknown wireless device, 
determining whether the unknown wireless device is an authorized device, and if the unknown wireless device is determined to be an 
authorized device, permitting network traffic from the unknown wireless device to pass to the computer network. 



NEW CITATIONS 

NONE 